linux/drivers/target
David S. Miller 676d23690f net: Fix use after free by removing length arg from sk_data_ready callbacks.
Several spots in the kernel perform a sequence like:

	skb_queue_tail(&sk->s_receive_queue, skb);
	sk->sk_data_ready(sk, skb->len);

But at the moment we place the SKB onto the socket receive queue it
can be consumed and freed up.  So this skb->len access is potentially
to freed up memory.

Furthermore, the skb->len can be modified by the consumer so it is
possible that the value isn't accurate.

And finally, no actual implementation of this callback actually uses
the length argument.  And since nobody actually cared about it's
value, lots of call sites pass arbitrary values in such as '0' and
even '1'.

So just remove the length argument from the callback, that way there
is no confusion whatsoever and all of these use-after-free cases get
fixed as a side effect.

Based upon a patch by Eric Dumazet and his suggestion to audit this
issue tree-wide.

Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-11 16:15:36 -04:00
..
iscsi net: Fix use after free by removing length arg from sk_data_ready callbacks. 2014-04-11 16:15:36 -04:00
loopback tcm_loop: Enable DIF/DIX modes in SCSI host LLD 2014-01-19 02:22:06 +00:00
sbp target: Remove TF_CIT_TMPL macro 2013-10-16 13:35:02 -07:00
tcm_fc percpu_ida: Make percpu_ida_alloc + callers accept task state bitmask 2014-01-23 20:17:18 +00:00
Kconfig target/iblock: Add blk_integrity + BIP passthrough support 2014-01-18 10:14:22 +00:00
Makefile target: Add support for EXTENDED_COPY copy offload emulation 2013-09-10 16:48:43 -07:00
target_core_alua.c target: Fix 32-bit + CONFIG_LBDAF=n link error w/ sector_div 2014-02-12 15:11:02 -08:00
target_core_alua.h target_core_alua: Referrals configfs integration 2014-01-09 21:48:35 -08:00
target_core_configfs.c target/configfs: Expose protection device attributes 2014-01-18 09:57:47 +00:00
target_core_device.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2014-01-31 15:31:23 -08:00
target_core_fabric_configfs.c target: Fix sizeof in kmalloc for some default_groups arrays 2013-12-16 12:42:20 -08:00
target_core_fabric_lib.c target: Update copyright ownership/year information to 2013 2013-09-10 20:23:36 -07:00
target_core_file.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2014-01-31 15:31:23 -08:00
target_core_file.h Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2014-01-31 15:31:23 -08:00
target_core_hba.c target: Update copyright ownership/year information to 2013 2013-09-10 20:23:36 -07:00
target_core_iblock.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2014-01-31 15:31:23 -08:00
target_core_iblock.h target: kill struct se_subsystem_dev 2012-11-06 20:55:43 -08:00
target_core_internal.h target/configfs: Expose protection device attributes 2014-01-18 09:57:47 +00:00
target_core_pr.c target: Fix free-after-use regression in PR unregister 2014-02-12 15:11:01 -08:00
target_core_pr.h drivers: target: Move prototype declaration of function to header file target_core_pr.h 2014-01-09 21:48:36 -08:00
target_core_pscsi.c target/pscsi: fix return value check 2013-10-25 10:42:09 -07:00
target_core_pscsi.h target: kill struct se_subsystem_dev 2012-11-06 20:55:43 -08:00
target_core_rd.c target/rd: Add DIF protection into rd_execute_rw 2014-01-19 02:22:06 +00:00
target_core_rd.h target/rd: Add support for protection SGL setup + release 2014-01-19 02:22:05 +00:00
target_core_sbc.c Target/sbc: Fix sbc_copy_prot for offset scatters 2014-03-06 20:52:11 -08:00
target_core_spc.c target: Fix missing length check in spc_emulate_evpd_83() 2014-02-12 15:11:04 -08:00
target_core_stat.c target: Convert se_device statistics to atomic_long_t 2013-11-13 18:34:55 -08:00
target_core_tmr.c target: Convert se_device statistics to atomic_long_t 2013-11-13 18:34:55 -08:00
target_core_tpg.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2014-01-31 15:31:23 -08:00
target_core_transport.c target: Add DIF sense codes in transport_generic_request_failure 2014-02-23 16:31:24 -08:00
target_core_ua.c target: Remove unused ua_dev_list member in struct se_ua 2013-12-16 12:39:04 -08:00
target_core_ua.h target core: rename (ex,im)plict -> (ex,im)plicit 2013-11-20 11:24:40 -08:00
target_core_xcopy.c drivers: target: Move prototype declaration of function to header file target_core_pr.h 2014-01-09 21:48:36 -08:00
target_core_xcopy.h target: Add support for EXTENDED_COPY copy offload emulation 2013-09-10 16:48:43 -07:00